From a211fee393fc05119710f9db83511085786010f1 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 14 Feb 2014 13:04:18 +0100
Subject: [PATCH] firewall: Use --wait for all iptables commands.

---
 config/firewall/firewall-policy | 40 ++++++++++++++++++---------------
 config/firewall/rules.pl | 34 ++++++++++++++--------------
 2 files changed, 39 insertions(+), 35 deletions(-)

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 6d26d5b2c..773e5cea6 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -23,6 +23,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
 
+function iptables() {
+ /sbin/iptables --wait "$@"
+}
+
 iptables -F POLICYFWD
 iptables -F POLICYOUT
 iptables -F POLICYIN
@@ -52,15 +56,15 @@ esac
 case "${FWPOLICY2}" in
 REJECT)
 if [ "${DROPINPUT}" = "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+ iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
 fi
- /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+ iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 ;;
 *) # DROP
 if [ "${DROPINPUT}" = "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 fi
- /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+ iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
 ;;
 esac
 
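Review bot: The wrapper passes `--wait` without a timeout, so while another process holds the xtables lock every rule in this script blocks until the lock is released instead of failing, and rules.pl appears to invoke this script (`/usr/sbin/firewall-policy`) on each reload; where the installed iptables accepts the optional seconds argument, `/sbin/iptables --wait 10 "$@"` (10 is a constructed example) bounds that. Either way the reason for the wrapper deserves a comment above it: `# Serialise on the xtables lock instead of failing while another iptables process is running.` The body must keep the absolute `/sbin/iptables`, because a bare `iptables` inside the function would recurse into the wrapper; a comment saying so would stop a later cleanup from breaking it. `function iptables() {` is the bash-only spelling; the shebang is outside the hunk, so confirm the script runs under bash rather than /bin/sh.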
@@ -70,15 +74,15 @@ case "${POLICY}" in
 case "${FWPOLICY}" in
 REJECT)
 if [ "${DROPFORWARD}" = "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
 fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
 ;;
 *) # DROP
 if [ "${DROPFORWARD}" = "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
 fi
- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 ;;
 esac
 ;;
@@ -86,14 +90,14 @@ case "${POLICY}" in
 *)
 if [ -n "${IFACE}" ]; then
 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
- /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+ iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
 fi
 if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
- /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+ iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
 fi
 fi
- /sbin/iptables -A POLICYFWD -j ACCEPT
- /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+ iptables -A POLICYFWD -j ACCEPT
+ iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 ;;
 esac
 
@@ -103,21 +107,21 @@ case "${POLICY1}" in
 case "${FWPOLICY1}" in
 REJECT)
 if [ "${DROPOUTGOING}" = "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
 fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
 ;;
 *) # DROP
 if [ "${DROPOUTGOING}" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
 fi
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 ;;
 esac
 ;;
 *)
- /sbin/iptables -A POLICYOUT -j ACCEPT
- /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+ iptables -A POLICYOUT -j ACCEPT
+ iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
 ;;
 esac
 
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 43807647c..09e8ae618 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -60,7 +60,7 @@ my $blue = '';
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN = "FORWARDFW";
 my $conexists = 'off';
-my $command = 'iptables -A';
+my $command = 'iptables --wait -A';
 my $dnat ='';
 my $snat ='';
 
@@ -111,7 +111,7 @@ if($param eq 'flush'){
 system ("/usr/sbin/firewall-policy");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
 &p2pblock;
- system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
+ system ("iptables --wait -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
 system ("/usr/sbin/firewall-policy");
 system ("/etc/sysconfig/firewall.local reload");
 }
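Review bot: `$command` now carries `--wait` but still names a bare `iptables` that is resolved through the caller's PATH, while p2pblock (hunk at -504) and the firewall-policy wrapper use `/sbin/iptables`; a script that runs as root and is driven from a web interface should call one absolute path consistently. The same literal is repeated in the hunks at -111, -119, -150, -303, -318, -387 and -402, and buildrules overwrites `$command` on every loop iteration (-150) with both single- and double-quoted spellings, so the flag now lives in four literal places in this file. A single `my $IPTABLES = '/sbin/iptables --wait';` next to this declaration, interpolated into every command string, would keep the path and the flag in one place.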
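Review bot: `system ("iptables --wait -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT")` hands the string to a shell and discards the exit status, so a failed append is silent and the policy script on the next line runs regardless; with `--wait` a non-zero status is now a real error rather than lock contention, which makes it worth checking. The list form avoids the shell and makes the check natural: `system('iptables', '--wait', '-A', $CHAIN, qw(-m conntrack --ctstate NEW -j ACCEPT)) == 0 or warn "iptables -A $CHAIN failed: $?";`. The five calls in sub flush (-119) have the same shape, and the `system "..."` lines at -387, -402 and -504 interpolate rule fields whose origin is outside this diff; if any of them can be set from the web UI, list-form system also keeps shell metacharacters in those fields from being interpreted. `$CHAIN` itself is a fixed string (`my $CHAIN = "FORWARDFW";` in the hunk at -60), so this particular call is not exposed to that.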
@@ -119,11 +119,11 @@ if($param eq 'flush'){
 }
 
 sub flush {
- system ("iptables -F FORWARDFW");
- system ("iptables -F INPUTFW");
- system ("iptables -F OUTGOINGFW");
- system ("iptables -t nat -F NAT_DESTINATION");
- system ("iptables -t nat -F NAT_SOURCE");
+ system ("iptables --wait -F FORWARDFW");
+ system ("iptables --wait -F INPUTFW");
+ system ("iptables --wait -F OUTGOINGFW");
+ system ("iptables --wait -t nat -F NAT_DESTINATION");
+ system ("iptables --wait -t nat -F NAT_SOURCE");
 }
 
 sub preparerules {
@@ -150,9 +150,9 @@ sub buildrules
 my $icmptype;
 foreach my $key (sort {$a <=> $b} keys %$hash){
 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
- $command="iptables -A";
+ $command="iptables --wait -A";
 if ($$hash{$key}[28] eq 'ON'){
- $command='iptables -t nat -A';
+ $command='iptables --wait -t nat -A';
 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
 if($$hash{$key}[31] eq 'dnat'){
 $nat='DNAT';
@@ -303,7 +303,7 @@ sub buildrules
 }
 }
 }
- print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ print "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 next;
 #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
@@ -318,14 +318,14 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 #PROCESS Prot ICMP and type = All ICMP-Types
 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
 }
@@ -387,7 +387,7 @@ sub buildrules
 }
 }
 }
- system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ system "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 next;
 #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
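Review bot: `system "iptables --wait -A FORWARDFW ... -j $$hash{$key}[0]\n"` keeps a trailing `\n` inside the command string handed to the shell, evidently carried over from the `print` form of the same rule at -303; it is harmless to the shell but shows that the rule text exists twice, once for printing and once for execution, so the `--wait` change had to be applied to each copy separately (likewise -318 against -402). Building the rule string once, `my $rule = "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]";`, and then either printing `"$rule\n"` or running it depending on the mode flag that already separates the two sections, would remove that drift. buildrules starts and ends outside this hunk, so the condition that selects print versus system is not visible here.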
@@ -402,14 +402,14 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 #PROCESS Prot ICMP and type = All ICMP-Types
 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
 }
@@ -504,11 +504,11 @@ sub p2pblock
 }
 if ($MODE eq 1){
 if($P2PSTRING){
- print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
+ print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
 }
 }else{
 if($P2PSTRING){
- system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
+ system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
 }
 }
 }
-- 
2.39.2